Social Engineering Networks

1
Social Engineering Networks

• Reid Chapman
• Ciaran Hannigan

2
What is Social Engineering

• Social Engineering is the art of manipulating
  people into performing actions or divulging
  confidential information.
• This type of attack is non-technical and rely
  heavily on human interaction.

3
Social Engineering

• Hackers use Social Engineering attacks to obtain
  information that will allow him/her to gain
  unauthorized access to a valued system and the
  information that resides on that system.

4
History of Social Engineering

• The term Social Engineering was made popular
  ex-computer criminal Kevin Mitnick.
• Confessed to illegally accessing private networks
  and possession of forged documents.
• Claimed to of only used Social Engineering
  techniques with no help from software programs.

5
Types of Attacks

• Pretexting
• On-Line Social Engineering
• Reverse Social Engineering
• Phone Social Engineering

6
Pretexting

• The act of creating and using an invented
  situation in order to convince a target to
  release information or grant access to sensitive
  materials.
• This type of attack is usually implemented over
  the phone and can be used to obtain customer
  information, phone records, banking records and
  is also used by private investigators.

7
Pretexting cont

• The hacker will disguise their identity in order
  to ask a series of questions intended to get the
  information he/she is wanting from their target.
• By asking these questions the victim will
  unknowingly provide the attacker with all the
  information the hacker needs to carry out their
  attack.

8
Online Social Engineering

• This attack exploits the fact that many users use
  the same password for all their accounts online
  such as for their e-mail, banking, or facebook
  accounts.
• So once an attacker has access to one account
  he/she has admittance to all of them.

9
Online cont

• Another common online attack is for a hacker to
  pretend to be a network admin and send out emails
  which request usernames and passwords, this
  attack is not as common or successful because
  people have become more conscious of this type of
  attack.

10
Reverse Social Engineering

• Probably the least used of the attacks.
• Requires extensive research and planning.
• The key is to establish yourself in a position of
  authority and have your targets come to you.
• Giving you a better chance of retrieving info.

11
Reverse Social Engineering

• This form of attack can be divided into three
  stages.
• Stage one - Sabotage Cause a problem (Crash the
  network)
• Stage two - Advertise Send out notice that you
  are the one to go to to solve the problem.
• Stage three - Assist Help the employees and get
  from them the info you came for.
• When all is done you fix the problem, leave, and
  no one is the wiser because the problem is fixed
  and everyone is happy.

12
Phone Social Engineering

• The most common practice of social engineering
• A Hacker will call someone up and imitate a
  person of authority and slowly retrieve
  information from them.
• Help Desks are incredible vunerable to this type
  of attack.

13
Help Desks are Gold Mines

• Its main purpose is to help. Putting them at a
  disadvantage against an attacker.
• People employed at a help desk usually are being
  paid next to nothing. Giving them little
  incentive to do anything but answer the questions
  and move onto the next phone call.
• So how do you protect yourself?

14
Protecting Against These Attacks

• As you know these attacks can take two different
  approaches Physical and Psychological
• The physical aspect the workplace, over the
  phone, dumpster diving, and on-line.
• The psychological aspect persuasion,
  impersonation, ingratiation, conformity, and good
  ol fashion friendliness

15
How To Defend Against the Physical

• Check and Verify all personnel entering the
  establishment.
• More important files should be locked up.
• Shred all important papers before disposing.
• Erase all magnetic media (hard drives, disks).
• All machines on the network should be well
  protected by passwords.
• Lock and store dumpsters in secure areas.

16
Security Policies and Training!!!

• Corporations make the mistake of only protecting
  themselves from the physical aspect leaving them
  almost helpless to the psychological attacks
  hackers commonly use.
• Advantage Alleviates responsibility of worker
  to make judgment call on the hackers request.
• Policy should address aspects of access control
  and password changes and protection.
• Locks, IDs, and shredders are important and
  should be required for all employees.
• Set it in Stone Violations should be well known
  and well enforced.

17
Security Policies and Training!!!

• All employees should know how to keep
  confidential information safe.
• All new employees should attend a security
  orientation
• All employees should attend an annual refresher
  course on these matters.
• Also sending emails to employees concerning this
  matter how to spot an attacker, methods in
  preventing them from falling victim, and stories
  of current and landmark cases on Social
  Engineering.

18
Spotting an Attack

• What to look for refusal to give contact
  information, rushing, name-dropping,
  intimidation, small mistakes, and requesting
  protected information.
• Put yourself in their shoes. Think like a
  hacker.

19
What to do for the Average Joe

• DO NOT DISCLOSE ANY PERSONAL INFORMATION UNLESS
  PERSON AND/OR SITE IS TRUSTED.
• Dont fall prey to all the get rich quick
  schemes.
• Update your security software regularly.
• Have a strong password and change it regularly.
  Try not to have the same one for all your
  passwords.
• Shred your important papers before throwing them
  out.